| 1 |
Hi, |
| 2 |
|
| 3 |
I want to raise an issue resulting from my experience so far in using |
| 4 |
Gentoo as the basis of production systems. Some may ask why? - but |
| 5 |
basically 'portage' seems to offer the very best framework for ongoing |
| 6 |
maintenance/admin of systems, though it's not perfect in that role. |
| 7 |
|
| 8 |
In essence, the continuous, easy upgrade capability of portage is great |
| 9 |
for a development system and should be an excellent mechanism for |
| 10 |
critical security (and other) upgrades in a production environment (and |
| 11 |
it is). |
| 12 |
The problems arise because of the continuous easy upgrades!! - the main |
| 13 |
benefit is also the main problem. |
| 14 |
|
| 15 |
I have just hit a real life hassle with a security upgrade. The history |
| 16 |
of it goes like this: |
| 17 |
|
| 18 |
[background] |
| 19 |
The example system in trouble is an old P233, and used to be on the end |
| 20 |
of a dialup link (it's now ADSL). |
| 21 |
Gentoo has been installed for about 10 months and the last time it was |
| 22 |
brought completely up to date was about 6 months ago (emerge rsync && |
| 23 |
emerge -u world) |
| 24 |
[/background] |
| 25 |
|
| 26 |
|
| 27 |
[creating a problem] |
| 28 |
|
| 29 |
As you have guessed, I've just had some system problems - partly of my |
| 30 |
own creation, but partly because of how Gentoo operates. |
| 31 |
|
| 32 |
My real problem came from doing 'emerge rsync', and then just |
| 33 |
(selectively) doing 'emerge -u openssl' |
| 34 |
|
| 35 |
This installed 'openssl-0.9.7' and removed 'openssl-0.9.6' - |
| 36 |
unfortunately lots of stuff on the system was compiled and linked |
| 37 |
against 'openssl-0.9.6' and they promptly broke. IE. Serious outage on a |
| 38 |
production system. |
| 39 |
|
| 40 |
There is a script designed to fix this called 'revdep-rebuild' which |
| 41 |
scans all the installed binaries for broken dependencies and then |
| 42 |
recompiles them which should make them link against the nice new |
| 43 |
'openssl-0.9.7' |
| 44 |
|
| 45 |
except!!! - revdep-rebuild carefully tries to recompile the exact |
| 46 |
versions of software you have installed (good idea) - but the Gentoo |
| 47 |
central repository has since deleted some of the build scripts for these |
| 48 |
older versions and when I did the 'emerge rsync', the scripts were also |
| 49 |
removed from my system. So I ended up where I am now - I have to go |
| 50 |
through and do 'emerge -u world' and then 'revdep-rebuild' to get it all |
| 51 |
working... not nice when there are nearly 200 packages to |
| 52 |
download/recompile on an old P233 |
| 53 |
|
| 54 |
[/creating a problem] |
| 55 |
|
| 56 |
|
| 57 |
|
| 58 |
|
| 59 |
As you can see, I was intending to leave the installed set of packages |
| 60 |
(and versions) alone. For this machine (and any production system), I |
| 61 |
dont want to install each and every little patch as it comes along. The |
| 62 |
machine is 'stable' - so I only want to apply upgrades on a very |
| 63 |
selective, controlled, manual basis - but still use portage for the |
| 64 |
package management. |
| 65 |
This is a very common tactic for 'production' machines, where you want |
| 66 |
the minimum number of changes to reduce your risks of outage. |
| 67 |
|
| 68 |
The trap is that 'emerge rsync' removes old .ebuilds that your installed |
| 69 |
machine may need if revdep-rebuild is to be able to recovery things |
| 70 |
after a critical library is rebuilt. |
| 71 |
In the way portage works, the only time it is safe for 'emerge rsync' to |
| 72 |
delete ebuilds, is immediately after successfully doing 'emerge -u world'. |
| 73 |
|
| 74 |
|
| 75 |
Is there a way to suppress the 'delete' part of rsync? Maybe a setting |
| 76 |
in /etc/make.conf ? |
| 77 |
|
| 78 |
That way, even though Gentoo may have removed the relevant (old) ebuild |
| 79 |
I want, the target machine would have it's local portage version for |
| 80 |
future recompiles.... I can afford the disk space!!! |
| 81 |
|
| 82 |
|
| 83 |
|
| 84 |
|
| 85 |
Regards |
| 86 |
Ron OHara |
| 87 |
PS: This is not a 'casual' problem for me - I've convinced a client to |
| 88 |
use Gentoo for the basis of their deployments and the plan is supposed |
| 89 |
to be for around 900 sites!! - catering for production software support |
| 90 |
for the next decade is very relevant to things in this scenario. |
| 91 |
|
| 92 |
|
| 93 |
|
| 94 |
|
| 95 |
|
| 96 |
|
| 97 |
|
| 98 |
|
| 99 |
-- |
| 100 |
gentoo-dev@g.o mailing list |
Archives